DETAILED ACTION

The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. The previous office action(s) is/are incorporated by 
reference in its/their entirety. The examiner assumes that the applicant agrees with any 
well-known prior art statements and/or rejections made by the examiner in the previous 
office action(s) that were not argued. Any rejections not repeated below for record are 
withdrawn due to applicant's amendments and/or arguments. 

Claims 1, 7, 18, 24, 30, and 35-36 were amended. Claims 1-39 are pending.

Information Disclosure Statement

Not all of the items in the IDS submitted on 7/5/2005 were considered as they 
failed to meet the requirements of CFR 1.98. They failed to meet the requirements
because it appears that several sheets of the IDS submitted were mistakenly submitted 
with the current applicant when they were clearly labeled as belonging to other 
applications, i.e. 10/122,599 and 10/367,462. 

Response to Amendment 

The examiner has noted applicant's amendments to the claims. 

Response to Arguments 

Applicant's arguments with respect to claims 1-39 have been considered but are
moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 
The specification shall conclude with one or more claims particularly pointing out and distinctly
claiming the subject matter which the applicant regards as his invention. 

Claims 1-39 are rejected under 35 U.S.C. 112, second paragraph, as being
indefinite for failing to particularly point out and distinctly claim the subject matter which
applicant regards as the invention.

1. As per claim 1, it is unclear what the subject of the verb "comprising" recited on
line 2 is. The examiner notes that the subject could be "a security system", "a 
protected resource or application", or "an application container." 

2. Claim 1 recites, "the callback handler" on line 9 and "the output" on line 10, which 
lacks antecedent basis. 

3. Claim 1 recites, "the protected application" on lines 11-12 and "said protected 
application" on lines 13-14. It is unclear if both refer to the same "a protected
application" recited in line 4. 

4. As per claim 18, it is unclear what the subject of the verb "comprising" recited on 
line 2 is. 

5. Claim 18 recites, "the security service" on line 6, "the callback handler" on line 
11, "the output" on line 14, and "the security providers" on line 14, which lacks 
antecedent basis. 

6. Claim 35 recites "the application container" on lines 7-8 which lacks antecedent 
basis. 

7. Claim 36 recites "said request", "said entitlement", and "the user of said protected 
resource", which lacks antecedent basis. 

8. Any claims not specifically addressed are rejected by virtue of dependency.

9. Appropriate corrections are required.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



Claims 1-2, 5-13, 15-19, 22-30, 32-39 are rejected under 35 U.S.C. 103(a) as
being unpatentable over Wiederhold (US 6,226,745) in view of Devine et al (US 
6,606,708). 
Claim 1: 

Wiederhold discloses a security system for allowing a client to access a 
protected resource, comprising: 

1. An application interface mechanism for receiving a request from a client to
access a protected resource, and communicating said request to a security 
service (col 4, lines 56-58), wherein the client makes the request on the 
application container and the application container calls the security service with 
the request (Fig 2). 

2. A security service, i.e. security mediator and security officer, for making a 
decision to permit or deny said request (col 5, lines 1-10), wherein the security 
service includes a plurality of security providers that may be plugged into the 
security service (col 4, lines 7-13 and col 5, lines 34-51).

3. A resource interface for communicating permitted access request to said
protected resource (col 4, lines 49-55). 

Note that an application interface mechanism for receiving requests from a client 
application must exist or the mediator disclosed by Wiederhold would not be able to 
receive/intercept queries related to a protected resource. An application container is an 
environment in which an application runs. This can include hardware or software. If an 
application exists, an application container must also exist. Further, as the security 
mediator is software, the client can only make requests to software via the use of an 
application and application container. 

Wiederhold does not disclose a security system for allowing a client to access a 
protected resource or application, said application including an application 
container. Wiederhold also does not disclose a protected resource is a protected 
application, the application container calls the security service with the request and a 
callback, wherein the security providers use the callback handler to request context 
information from the application container for the request, and wherein depending on 
the output from the security providers the security service determines an entitlement for 
the client to use with the protected application. 

However, Devine discloses a protected resource is an application, said 
application including an application container (col 27, lines 15-22). Devine also 
discloses that his invention uses a GUI interface (col 2, lines 60-65), which reads on the 
use of callback and callback handlers as modern GUI systems use callback
programming styles. Devine discloses on Figure 6 a username and password login
interface. Further, Devine discloses that the services available to a user once the user
logs in depend on the subscription of the user (col 3, lines 32-42). These teachings by
Devine read on the limitation of security providers using a callback handler to request
context information from the application container for the request as the user is 
requested to enter authentication information via a GUI interface so that the system can 
determine to what services the user is entitled. These teachings also read on the 
limitation of wherein depending on the output from the security providers the security 
service determines an entitlement for the client to use with the protected application. 

In light of the above teachings by Devine, it would have been obvious to one of 
ordinary skill in the art at the time the applicant's invention was made to have modified 
Wiederhold's invention according to the limitations recited in claim 1. One of ordinary 
skill would have been motivated to incorporate Devine's teachings as he discloses that 
his teachings would allow for the use of a GUI interface to allow easy and convenient 
access from the user's perspective (col 2, lines 60-65). 
Claim 18: 

Wiederhold discloses a method of allowing a client to access a protected 
resource, comprising: 

1. Receiving at an application container a request from a client to access a
protected resource (col 4, lines 56-58).

2. Communicating the request from the application container to the security service
(col 4, lines 56-58).

3. Making a decision at said security service to permit or deny said access request
(col 5, lines 1-10), wherein the security service includes a plurality of security 
providers that may be plugged into the security service (col 4, lines 7-13 and col 
5, lines 34-51). 

4. Communicating a permitted request to the protected resource (col 4, lines 49- 
55). 

Wiederhold does not disclose the protected resource is an application, said 
application including an application container. Wiederhold also does not disclose 
communicating the request from the application container to the security service 
together with a callback. Wiederhold also does not disclose using the callback 
handler at each security provider to request context information from the application 
container for the request, determining an entitlement for the client to use with the 
protected application depending on the output from the security providers.

However, Devine discloses a protected resource is an application, said 
application including an application container (col 27, lines 15-22). Devine also 
discloses that his invention uses a GUI interface (col 2, lines 60-65), which reads on the 
use of callback and callback handlers as modern GUI systems use callback
programming styles. Devine discloses on Figure 6 a username and password login 
interface. Further, Devine discloses that the services available to a user once the user 
logs in depend on the subscription of the user (col 3, lines 32-42). These teachings by 
Devine read on the above limitations that were not met by Wiederhold.

In light of the above teachings by Devine, it would have been obvious to one of
ordinary skill in the art at the time the applicant's invention was made to have modified 
Wiederhold's invention according to the limitations recited in claim 18. One of ordinary 
skill would have been motivated to incorporate Devine's teachings as he discloses that 
his teachings would allow for the use of a GUI interface to allow easy and convenient 
access from the user's perspective (col 2, lines 60-65).
Claims 2 and 19: 

Wiederhold further discloses said application interface mechanism includes an 
application container for reading an application deployment description and registering 
said deployment description within the security service (col 3, lines 37-46). 
Claims 5 and 22: 

Wiederhold further discloses: 

1. Defining an access policy via a plurality of access decision mechanisms within
said security service (col 3, lines 37-45; fig 3, item 100; and fig 4, item 200).

2. Determining at each access decision mechanism a contributory decision to
permit, deny, or abstain from said access request (col 5, 1st paragraph).

The examiner has interpreted "access decision mechanisms" as broadly as 
reasonable to include any rule, procedure, device, data structure, or function that is 
used by the security service to define an access policy. 
Claims 6 and 23:

Wiederhold further discloses transferring via said access controller said access
request to said plurality of access decision mechanisms, and combining contributory 
decisions into an overall decision by the security service to permit or deny said access 
request (col 3, lines 37-64). 
Claims 7 and 24: 

Wiederhold further discloses said contributory access decision mechanisms 
represent a business function related access policy (col 3, lines 37-64 and col 5, lines 
11-16). The examiner has interpreted "business function related access policy" to mean 
any sort of access policy as any access policy can affect the way a business operates. 
Claims 8 and 25: 

Wiederhold further discloses access decisions may be added to the security 
service to reflect changes in the access policy (col 5, lines 34-41). 
Claims 9 and 26: 

Wiederhold further discloses said access decision mechanisms are used to 
define an entitlement for said client to access said protected resource (col 4, last 
paragraph). 
Claims 10 and 27: 

Wiederhold further discloses a deny or abstain by any one of said access 
decision mechanisms cause the security service to deny the access request (col 5, 1st
paragraph and col 6, lines 5-10).
Claims 11 and 28:

Wiederhold further discloses an abstain by any one of said decision mechanisms
does not cause the security service to deny the access request (col 5, 1st paragraph).
Claims 12 and 29: 

Wiederhold further discloses auditing via said audit mechanism the 
determinations of said plurality of access requests (col 5, last paragraph and col 6, lines 
1-2). 

Claim 13: 

Wiederhold further discloses said resource interface includes passing requests via an
interface mechanism to or from a protected resource (col 5, lines 28-31 and col 5, lines 
56-61). 
Claim 30: 

Wiederhold further discloses said step of communicating the request includes
passing requests via an interface mechanism to or from the protected resource (col 5, 
lines 28-31 and col 5, lines 56-61). 
Claims 15 and 32: 

Wiederhold discloses said interface mechanism includes a security provider 
interface (col 4, last paragraph). 

The examiner has interpreted a "security provider interface" as any mechanism 
which allows a user or application to access the resource in a secure manner. In the case
of Wiederhold's invention, the security service itself is the security provider interface as 
it filters the results of an access query to disclose only the parts of a secure resource 
that a user or application has proper entitlement to have. 
Claims 16 and 33:

Wiederhold does not disclose said interface mechanism is included as a plug-in 
in said resource interface. However, it would have been obvious to one of ordinary skill 
in the art at the time of the applicant's invention to modify Wiederhold and Devine's 
combination invention so that the interface mechanism is included as a plug-in in the 
resource interface as doing so would increase the scalability of the invention. If one 
were to implement the invention using Java and as a web application, Java itself is a
plug-in for various web browsers, therefore any interface mechanism employed using 
Java would have to be a plug-in by nature. Note Devine discloses that his invention 
uses Java and Java applets (col 3, lines 3-8). Therefore, the limitation recited in claims 
16 and 33 is obvious to the combination invention of Wiederhold and Devine. 
Claims 17 and 34: 

Wiederhold further discloses making a decision on whether to permit or deny a 
response to said access request from said protected resource to said client (col 4, last 
paragraph). 
Claim 35: 

Wiederhold discloses a method for determining a user entitlement to access 
protected resources in a secure environment, comprising: 

1. Receiving an access request from a user application to access a protected
resource (fig 2 and col 4, last paragraph), by invoking a security service with said
access request (fig 2 and col 3, lines 22-26).

2. Determining a user entitlement to access said protected resource (col 3, lines 37-
45).

3. Making a decision at said security service based on said user entitlement to 
permit or deny said access request (col 5, 1st paragraph).

4. The steps of either:

a. Communicating a permitted access request to said protected resource (col
5, 1st paragraph), or

b. Denying a denied access request to said protected resource (col 5, 1st
paragraph).



Wiederhold does not disclose invoking a security service with said access 
request and a callback. Wiederhold also does not explicitly disclose wherein said 
determining includes polling a plurality of security providers that may be plugged into 
the security service, and wherein the security providers use a callback handler to 
request context information from the application container for the request. 

However, Wiederhold discloses that his invention is to provide a portal which can 
collaborate with existing security technologies (col 4, lines 7-14). Wiederhold further 
discloses security rules which can be plugged into his security system (col 5, lines 34- 
51). Wiederhold discloses that to access a resource, the query for the resource must 
pass all the rule requirements (col 6, lines 5-10). These teachings by Wiederhold read 
on polling a plurality of security providers that may be plugged into the security service.
The examiner believes that both the security rules and existing security technologies
are security providers. 

Further, Devine discloses a protected resource is an application, said application 
including an application container (col 27, lines 15-22). Devine also discloses that his 
invention uses a GUI interface (col 2, lines 60-65), which reads on the use of callback 
and callback handlers as modern GUI systems use callback programming styles.
Devine discloses on Figure 6 a username and password login interface. Further, 
Devine discloses that the services available to a user once the user logs in depend on 
the subscription of the user (col 3, lines 32-42). These teachings by Devine read on 
invoking a security service with said access request and a callback and the security 
providers use a callback handler to request context information from the application 
container for the request. 

In light of the above, it would have been obvious to one of ordinary skill in the art 
at the time the applicant's invention was made to have modified Wiederhold's invention 
using Devine's teachings according to the limitations recited in claim 35. One of 
ordinary skill would have been motivated to do so for the same reasons given in claim 1.
Claim 36: 

Wiederhold does not explicitly disclose if said request is permitted said 
entitlement also determines a type of access available to the user of said protected 
resource. However, the examiner asserts that the limitation is well known in the art of 
security, i.e. once a user is granted access to a resource, it is common to also 
determine the level of access the user has for that resource, such as read-only or read-write
access. Further, Wiederhold discloses that existing security technologies are used
to define who is allowed access to what, how, and when (col 4, lines 7-14). 

It would have been obvious to one of ordinary skill to further modify Wiederhold 
and Devine's combination invention according to the limitation recited in claim 36. One 
of ordinary skill would have been motivated to do so as it would allow the security 
system to control the level of user access to a resource, i.e. how and when a resource 
may be accessed. 
Claim 37: 

Wiederhold further discloses said type of access includes any of view, modify, 
delete, or copy, any part or all of said protected resource (col 6, lines 19-32). View, 
modify, delete, or copy, any part or all of a resource are the types of functions normally 
performed on a resource when performing database queries. 
Claim 38: 

Wiederhold further discloses said user entitlement can be communicated from a 
first security realm to a second security realm (col 5, 1st paragraph). The examiner has
interpreted a security realm as any individual portion of the overall system. In this case, 
the security mediator, security officer, protected resource, and client are all separate 
security realms. 
Claim 39: 

Wiederhold further discloses additional information from a first security realm can 
be used to modify the user entitlement, prior to communicating information about said 
user entitlement from said first security realm to said second security realm (col 5, 1st
paragraph). 

Claims 3-4 and 20-21 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Wiederhold (US 6,226,745) and in view of Devine et al (US 6,606,708) and further 
in view of javaworld.com.
Claims 3 and 20: 

Wiederhold does not disclose said application container is an Enterprise Java 
Bean container. However, javaworld.com discloses that one of the advantages of using 
an Enterprise Java Bean as a container is that an application would have almost 
transparent scalability (EJB advantages, item 3). As Wiederhold discloses that his/her 
invention could be used in a variety of environments from insurance companies, 
hospitals, and a military setting, it would be obvious to one of ordinary skill in the art at 
the time of the applicant's invention to use an Enterprise Java Bean container as this 
would allow the combination invention of Wiederhold and Devine to be scaled 
appropriately and easily for whatever type of environment it needs to operate.
Claims 4 and 21: 

Wiederhold does not disclose said application container is a WebApp container. 
The examiner has interpreted WebApp to be the same thing as a web or Internet 
application and a WebApp container as a container which uses or runs on the web or 
Internet. Given that it would have been obvious to one of ordinary skill in the art at the 
time of the applicant's invention to use Java technology in Wiederhold and Devine's
combination invention because of the advantages disclosed by javaworld.com (EJB
advantages), it would also have been obvious that the application container can also be 
a WebApp container as Java is platform independent and commonly used in web or 
Internet based applications. Wiederhold discloses that his invention can be used by 
groups of people not normally found close together such as a hospital staff with an 
insurance company staff, it would have been obvious to use the Internet as a medium 
for sharing information and data between the various user groups. Since the Internet is 
used as the communication medium, it would be obvious to use a WebApp as the 
application container in Wiederhold and Devine's combination invention to ensure
proper data privacy between the various groups as seen in Fig. 1 of Wiederhold.

Claims 14 and 31 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Wiederhold (US 6,226,745) and in view of Devine et al (US 6,606,708) and further 
in view of javaworld.com and java.sun.com.
Claims 14 and 31: 

Wiederhold does not disclose wherein said interface mechanism includes a Java 
J2EE security interface. However, as pointed out already, it would have been obvious 
to one of ordinary skill in the art at the time the applicant's invention was made to use
Enterprise Java Bean technology with Wiederhold and Devine's combination invention. 
Further, according to java.sun.com, Enterprise Java Beans technology is "the server-side
component architecture for the Java 2 Platform, Enterprise Edition (J2EE) platform"
(java.sun.com, 1st paragraph). Therefore, it would have also been obvious to one of
ordinary skill in the art at the time of the applicant's invention to make the interface 
mechanism include a Java J2EE security interface as using Enterprise Java Bean/J2EE 
technology would make the invention more flexible in terms of scalability. 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Blewett (US 5,551,040) discloses modern GUI systems use
callback programming style. 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Ponnoreay Pich whose telephone number is
571-272-7962. The examiner can normally be reached on 8:00am-4:30pm Mon-Fri.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 